Bulgarian Hackers Were Emboldened By Anger and Weak Controls

At the turn of the millennium, hacking was one of the ways that young Bulgarians managed to vent their anger at a corrupt government that had ruined their lives and an environment that had largely allowed their activities to go unpunished. Hackers like Andrey Bogomil (not his real name) spent their time in internet cafes or at home chatting to each other on ICQ while testing their skills against foreign companies and organisations. “We felt let down by the US. They promised that we would be better off if we were not part of communism, but we were worse,” he says.

In 1999, Bulgarian hackers cracked the internet site of the US Senate and the Varna Hacker Group left messages for the Senators. At the time, Andrey was unable to afford a decent computer. He had an Intel 386 processor-based board which had no case and was exposed to the elements. It was kept cool by a household fan. Yet all night it was used to download illegal movies and music from foreign sites which Andrey would distribute to his friends.

Andrey’s friends were experts at creating software cracks. Western software was being sold in legitimate stores for prices which put it out of the range of even most Bulgarian businesses. Cracked software was the antidote to this problem and Andrey’s work was found on market stalls. He did not make much cash out of his work, but he made more than he did at his day job.

Some of that changed when Bulgaria joined the EU. Pressure from the software industry meant that the government had to take a token stand against the pirates. Since this entailed police visiting market stalls, all that meant was that the stock had to be stored in a building close to the square and copied on demand. People would watch out for police and their stalls could vanish in an instant.

Piracy was reduced, but not in the consumer market. As internet bandwidth became cheaper and more reliable, the market stalls were replaced by software and movie torrent sites. The hackers continued their work but Andrey said that it started to take a darker turn.

“The Mutra (Mafia) started to discover that there was money to be made online… often with extortion and they recruited a number of my friends to work for them,” he says.

The local press refers to the Mutra as “businessmen”. They drive around Sofia in uniform black Mercedes G500 SUVs with blacked-out windows, and holes in the side that appear designed for a drive-by shooting. The soldiers of these crime families are not difficult to spot either. They have black tee shirts that are so tight around their ample muscles they could have been sprayed on; they have shaved heads, tattoos and white lumpy faces slashed with dark glasses.

“They have the money, the girls, and hired my friends for what they called security work,” Andrey said.

“Security work” ranged from hacking other businessmen’s networks to actual criminal work. When Verizon released its 2013 Data Breach Investigations Report analysing data breaches around the world it found that hackers in foreign countries, particularly China, Romania, Bulgaria and Russia are responsible for many of the attacks on businesses large and small that result in data breaches. Given the size of Bulgaria, a country with a population of just seven million, that was a particularly infamous statistic.

Bulgaria’s reputation for hacking grew. In 2010 it was revealed that Bulgarian hackers had been hired by four Americans to access a site for ticket sales and stole 1.5 million concert tickets valued at US$25m.

According to Bulgarian press reports, the country had developed a reputation for being the number one in the world in making ATM skimming devices to steal card details at cashpoint systems. In some cases, existing cyber gangs just started working with the Mutra, others tried to go it alone. Last year, according to the government, the most powerful was the Cyber Warrior Invasion (CWI) group.

A Ministry of the Interior spokesman said that the CWI was operating like a Mutra gang. Its members used cyber-terrorist methods and had compromised several major financial and internet-based companies’ services. He said that the CWI cracked computer systems, finding flaws or deficiencies in the construction of numerous governmental and non-governmental sites, shared software for its members to hack and distribute stolen data from credit cards from around the world.

By mid-2012, the group had attacked over 500 different websites worldwide, the government claimed. It was co-ordinated through a site at www.cwi-group.org which changed its location and used a complex system of "zombie" proxy servers.

The government said the CWI had a strict hierarchical order and was structured into different groups according to their levels of access and power: Administrators, Moderator, Scanning team, Donors and Sponsors, Sectional Moderators, Friends, VIP Members and group members. The Chief Directorate for Combating Organised Crime carried out an unprecedented countrywide operation in the cities of Pleven, Shumen, Plovdiv, Burgas, Haskovo, Stara Zagora and Kyustendil.

Andrey and his friends were sceptical about the police raids. What made the raids unusual was that they were the first. Despite Bulgaria’s reputation it is nearly impossible for police to get a hacking conviction to stick, so they do not bother. Andrey pointed to the fact that the police seized only four laptops and five desktops, seven thumb drives, three hard drives and 200 CDs in the raids.

“That is not a big operation or, if it is, they have only arrested one or two of the key players. In Bulgaria they give the Mutra government jobs; it is more likely that the CWI had managed to anger a real bad guy who asked his government friends to close it down. I would like to see [the government] do something similar against [he names a well-known Mutra “businessman”]. [But instead] they just moved against the CWI because they were a softer target.”

Andrey thinks that the scale of hacking operations in Bulgaria is still not as large as its reputation seems to suggest. This is backed up by local businessmen who say that hacking is not as big a problem to them as it would be in the UK or the US. One businessman told me that the hackers tend to go after more interesting international targets rather than local targets. It is worth pointing out that he did not want his name or company mentioned just in case the hackers changed their minds…

Andrey tells me that the hacking scene is quieter these days and it is the Romanians and Russians who are superior hackers.

“It is hard for me to admit it,” he said. “I have a lot of national pride, but these guys generally are better at it than us, and it is them that are doing most of the serious illegal stuff.”

Nick Farrell is a freelance writer who was born in New Zealand and recently migrated from Bulgaria to Italy. He writes widely on technology, magic and the esoteric.